Snort mailing list archives
Re: Home Net
From: Chris Green <cmg () uab edu>
Date: Mon, 26 Nov 2001 20:03:08 -0600
"jamesh" <jamesh () cybermesa com> writes:
Is there an advantage (in terms of function of Snort) to specifying mail, dns, sql, etc. servers instead of pointing all this to $HOME_NET ?
The more targeted you can make your ruleset, the better. If you control all the machines on your subnet and know when services are enabled/disabled (using regular portscans or the like), setting up small $EMAIL_SERVERS etc. could be beneficial (you could end up slowing it down if you did massive lists of non-contiguous IPs, though). The biggest benefit is if you know what vulnerabilities could be critical for your servers versus noncritical (so you can know how quickly to act).

More often in the world I live in, we have no idea what all people are running at any given time, and given that you'll generally only see traffic when a machine is running a particular service, using a set of rules that all point to HOME_NET is the practical thing to do.

--
Chris Green <cmg () uab edu>
A watched process never cores.
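The two setups weighed in the reply above, as an added snort.conf sketch that is not part of the original message. The addresses (RFC 5737 documentation range), the DNS_SERVERS name, the rule text and the sid are constructed for illustration; EMAIL_SERVERS is the variable name used in the reply.

```conf
# --- Setup A: everything points at HOME_NET --------------------------------
# Practical when you do not know which hosts run which services.
var HOME_NET 192.0.2.0/24          # constructed example network
var EXTERNAL_NET !$HOME_NET

var EMAIL_SERVERS $HOME_NET        # user-defined names; any name works
var DNS_SERVERS   $HOME_NET

# --- Setup B: targeted server lists ----------------------------------------
# Only worthwhile if you control the hosts and track which services are
# enabled. Keep the lists short: long lists of non-contiguous addresses
# can slow matching down.
# var EMAIL_SERVERS [192.0.2.10/32,192.0.2.11/32]
# var DNS_SERVERS   [192.0.2.53/32]

# --- A rule written against the variable ------------------------------------
# The rule itself is identical in both setups. With setup A it is evaluated
# for traffic to port 25 on every host in HOME_NET; with setup B only for
# the two listed mail servers, so an alert always refers to a host that is
# known to run SMTP and can be prioritized accordingly.
alert tcp $EXTERNAL_NET any -> $EMAIL_SERVERS 25 (msg:"LOCAL SMTP EXPN command"; content:"EXPN"; nocase; sid:1000001; rev:1;)
```

Switching between the two setups means changing only the `var` lines; rules that reference the variables stay untouched.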